|
|
|
|
| |
Credit:
The information has been provided by iDEFENSE Labs.
The original article can be found at: http://www.idefense.com/application/poi/display?id=326&type=vulnerabilities,
http://www.idefense.com/application/poi/display?id=327&type=vulnerabilities,
http://www.idefense.com/application/poi/display?id=328&type=vulnerabilities
The vendor advisory can be found at: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.40/SCOSA-2005.40.txt,
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.41/SCOSA-2005.41.txt
|
| |
Vulnerable Systems:
* SCO Unixware version 7.1.3
* SCO Unixware version 7.1.4
* SCO Openserver version 5.0.7
Unixware Setuid ppp prompt Buffer Overflow:
Local exploitation of a buffer overflow vulnerability in the ppp binary, as included in Unixware, allows attackers to gain root privileges.
The vulnerability specifically exists because of a failure to check the length of user input. If the user running the ppp program enters an argument to the "prompt" or "defprompt" command that exceeds 256 bytes in length, a stack based overflow occurs. This leads to the execution of arbitrary code with root privileges, as ppp is setuid root by default.
Successful exploitation of this vulnerability requires that user have local access to the system; it would allow the user to gain superuser privileges.
Workaround:
As a workaround solution, remove the setuid bit from the backupsh binary until a vendor patch can be applied.
# chmod u-s /usr/bin/ppp
Openserver authsh 'Home' Buffer Overflow:
Local exploitation of a buffer overflow vulnerability in Openserver operating system could allow an attacker to gain root privileges.
The authsh utility is a standard binary distributed with the Openserver platform. The vulnerability specifically exists because of a lack of bounds checking on the value given to the "HOME" environment variable.
Local attackers can supply a specially crafted string to overflow a stack buffer and execute arbitrary code with group auth privileges.
Successful exploitation of this vulnerability will result in execution of arbitrary code with permissions of the running process. The binary is setgid auth by default and can be used by attackers with a local account to gain root privileges, as the group auth has write access to system authentication information. An attacker would only need to modify the system passwd file to grant an account they control superuser privileges.
Workaround:
As a workaround solution, remove the setgid bit from the authsh binary until a vendor patch can be applied.
# chmod -g /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/authsh
backupsh 'Home' Buffer Overflow:
Local exploitation of a buffer overflow vulnerability Openserver operating system could allow an attacker to gain access to the backup group.
The backupsh utility is a standard binary distributed with the Openserver platform. The vulnerability specifically exists because of a lack of bounds checking on the value given to the "HOME" environment variable.
Local attackers can supply a specially crafted string to overflow a stack buffer and execute arbitrary code with group backup privileges.
Successful exploitation of this vulnerability will result in execution of arbitrary code with permissions of the running process. The binary is setgid backup by default and can be used by attackers with a local account to gain backup privileges.
Workaround:
As a workaround solution, remove the setgid bit from the backupsh binary until a vendor patch can be applied.
# chmod g-s /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/backupsh
CVE Information:
CVE-2005-2926
CVE-2005-2927
Disclosure Timeline:
09/08/2005 - Initial vendor notification
09/09/2005 - Initial vendor response
10/24/2005 - Public disclosure
|
|
|
|
|
